Open-AuditIT Professional 2.1 Cross-Site Scripting

2018.03.29
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


Ogólna skala CVSS: 3.5/10
Znaczenie: 2.9/10
Łatwość wykorzystania: 6.8/10
Wymagany dostęp: Zdalny
Złożoność ataku: Średnia
Autoryzacja: Jednorazowa
Wpływ na poufność: Brak
Wpływ na integralność: Częściowy
Wpływ na dostępność: Brak

# Exploit Title: Open-AuditIT Professional 2.1 - Stored Cross site scripting (XSS) # Date: 27-03-2018 # Exploit Author: Nilesh Sapariya # Contact: https://twitter.com/nilesh_loganx # Website: https://nileshsapariya.blogspot.com # Vendor Homepage: https://www.open-audit.org/ # Version: 2.1 # CVE : CVE-2018-8903 # Category: Webapp Open-AuditIT Professional 2.1 1. Description:- It was observed that attacker is able to inject a malicious script in the Application. As server is not filtering the inputs provided by an attacker and the script executes in the victim browser when he tries to visit the page 2. Proof of Concept Login into Open-AuditIT Professional 2.1 1] Go to Home ==> Credentials 2] Enter XSS payload in Name and Description Field "><img src=x onerror=alert(1337);> 3] Click on Submit Visi this page :- http://localhost/omk/open-audit/credentials ​​3] POCs and steps: https://nileshsapariya.blogspot.ae/2018/03/csrf-to-xss-open-auditit-professional-21.html

Referencje:

https://nileshsapariya.blogspot.ae/2018/03/csrf-to-xss-open-auditit-professional-21.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top